Microsoft on Tuesday issued 12 software patches, six of which covered vulnerabilities the company designated as “critical.” The patches were part of Microsoft’s regular Patch Tuesday security bulletin.
TechNewsWorld spoke with Ashar Aziz, CEO and founder of network malware security firm FireEye, to find out how dangerous these vulnerabilities were as well as what to expect in future Patch Tuesdays now that Vista is on the market.
TechNewsWorld: Twelve patches, one which fixed a vulnerability insome of Microsoft’s security applications — how bad, exactly,were these vulnerabilities?
These are very serious flaws that allow remote codeexploitation on the processing of PDF or Word files.These are just the kinds of flaws that permit targetedattacks to penetrate into corporate networks, sincePDF and Word files are typically permitted asattachments past corporate e-mail gateways.
These vulnerabilities are extremely dangerous tocorporations since they enable targeted attacks thatbypass traditional security filters and firewalls.Because common file types like PDF are usually allowedthrough security scanners and firewalls, maliciousparties can establish a beachhead in the enterprisenetwork and utilize remote code execution to buildbotnets.
TNW: Corporations are clearly the target of hackersthese days. Do you think their customers are atgreater risk as a result?
Yes, absolutely. In addition to an increase inmalicious software attacks, the threat is becomingincreasingly more dangerous to corporations and theircustomers alike. Malware has evolved from loud andinfectious worms — often intended to grab headlines –into stealthy and monetized crimeware aimed atdiscretely stealing corporate assets withoutdetection. In many cases, crimeware is out to getsensitive customer data, which could lead to seriousreputation damage, especially for a retailer. Look atwhat TJX and its TJ Maxx stores have recentlyexperienced.
TNW: Do you foresee a day when the situation improves?
Patch Tuesday is hardly a surprise [anymore] givenhow crimeware is escalating and becoming increasinglydifficult to prevent. As a result, we can expect tosee even more patches in the future.
TNW: Are there any additional security measurescompanies can take?
Software patches are a good first step, but theyare essentially just a band-aid on a wound. The goodnews is that with a patch, the organization knowsabout the threat and can work to repair damage. Butthis is the mere tip of a much larger iceberg. Whatabout the threats that have not yet been detected? Howdoes an organization protect against stealthycrimeware that flies under the radar? Patches arejust one line of defense, and hardly enough given thedamage that crimeware can cause today. Companies mustexplore solutions that detect and capture malwarebefore it even enters the network.
On patches, the industry talks about zero-dayprotection as if this will adequately address asecurity threat such as a malicious bot aimed atmining sensitive customer data. But zero-day startswhen the patch is issued to the world. What aboutthat dangerous window from when the crimeware wasfirst introduced until the patch was available. Thatwindow of vulnerability is typically over 12 monthsand often even up to three years or more.Organizations need a line of defense to close thatwindow if they want true zero-day protection. Patchesalone won’t suffice.
TNW: What do you think of Vista’s security measures?
It is not uncommon to see a rash of securitypatches for a new product, and indeed we are startingto see them for Windows Vista. Vista is safer thanprevious releases, but its absolute security is stillin question. It is difficult to construct large,complex systems that are inherently secure usingcurrent generation software developmentmethodologies. We believe that serious security flawswill be discovered in Vista, although the bar to findsuch flaws has been raised higher than in previousreleases. You can almost expect that for a newproduct. But we are still seeing patches for productsthat have been on the market for many years, includingWindows XP, Office and Internet Explorer.
There are over 100 million lines of program code inVista. Even if we assumed an extremely low rate ofsecurity bugs, the sheer complexity of Vista meansthere will be security bugs. A security bugrate of 0.001 percent would mean there are over 1,000 securitybugs yet undiscovered in Vista.
Vista includes a new networking stack. Historically,networking code has been the source of many securityholes. New code that has not been field-tested foryears is highly likely to contain security flaws,despite the best efforts of its authors. Again, thisunderscores the real threat — stealthy crimeware thatgoes undetected for years. Manyare saying that Vista is not secure. Patches andadditional security features for Vista will help, butorganizations must approach this at the network level,not just at the operating system or application.